Client keytab ignored when CC has expired

Greg Hudson ghudson at MIT.EDU
Thu Jul 31 11:52:51 EDT 2014


On 07/31/2014 03:24 AM, Michael Osipov wrote:
> That sounds reasonable and should solve the issue. Albeit, I do think that the detection
> algorithm could be better and pursue a best-effort/match/seldom-fail approach. It make the
> entire process idiot-proof.

I have opened a ticket for this:

    http://krbdev.mit.edu/rt/Ticket/Display.html?id=7976

I'm not sure if the process can be made completely idiot-proof, but it
can certainly work better for the case where someone manually obtains
credentials for the same principal as the one in the client keytab.  If
a person gets credentials for a different principal, it's harder to be
predictable.


More information about the Kerberos mailing list